<@U04UQ68083H> What is recommended way to use User...
# ory-copilot
@chilly-king-10285 What is the recommended way to use User IDs in the application logic? How and when to store them in the database?
A message from kapa.ai
The recommended way to use User IDs (Ory identity IDs) in your application logic is to treat them as the primary link between Ory-managed identities and your application's user records. Here’s how and when to store them:

- Store the Ory identity ID in your application database: When a user registers or an identity is created in Ory, use Ory Actions (webhooks) to notify your backend. Upon receiving this webhook, create a corresponding user record in your application database and store the Ory identity ID (the unique identifier from Ory) in a dedicated field. This allows you to map Ory identities to your internal user records.
- Linking Ory identity and internal user: It is recommended to store your internal user ID in the Ory identity’s `metadata_public` field (e.g., `identity.metadata_public.id`). This ensures that you can easily map between Ory identities and your internal user records during authentication and authorization flows.
- When to store: Store the mapping as soon as the identity is created, typically right after user registration or import. This is usually handled in the webhook handler that processes Ory Actions events.
- Why this approach: This separation ensures that authentication and identity management are handled by Ory, while your business logic and additional user data remain in your own database. It also makes it easy to authenticate API requests: when a request comes in, validate the session with Ory, retrieve the identity ID, and use it to look up the corresponding user in your database.

Summary of steps:

1. Configure Ory Actions to send webhooks after identity events.
2. On receiving a webhook, create a user record in your database and store the Ory identity ID.
3. Optionally, store your internal user ID in the Ory identity’s `metadata_public` field for easy mapping.
4. Use the Ory identity ID as the reference for authentication and linking to your business logic.

This approach is explicitly recommended in the Ory documentation:

> Establish a connection between the Ory identity and the user record in your database by storing the `user.id` in `identity.metadata_public.id`. This ensures that subsequent API calls can easily map the Ory identity to the correct internal user. More about metadata in the [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata) documentation.

> Now when the frontend makes API calls containing the Ory cookie or token, the backend should verify the session using the whoami API endpoint. This endpoint returns the session details, including the identity, allowing the backend to authenticate the request and link it to the internal user record.

[Integrate backend](https://www.ory.sh/docs/migrate-to-ory#integrate-backend)

This ensures a clean separation of concerns and robust integration between Ory and your application logic.
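
The mapping described in the answer above, sketched as an added example that is not part of the original thread and is not Ory's own code. The webhook body shape (`identity_id`, `email`), the shared-secret header, the `users` table and all function names are assumptions; the session dict stands for a response already obtained from the whoami endpoint.

```python
import hmac
import sqlite3
import uuid

# Assumption: a shared secret sent as a header by the Ory Actions webhook.
WEBHOOK_SECRET = "constructed-example-secret"
# Constructed samples; the webhook body shape is an assumption, not a fixed Ory format.
SAMPLE_PAYLOAD = {"identity_id": "6F1B2C3D-0000-4000-8000-0123456789AB", "email": "a@example.com"}
SAMPLE_SESSION = {"active": True, "identity": {"id": "6f1b2c3d-0000-4000-8000-0123456789ab"}}

def open_db():
    db = sqlite3.connect(":memory:")
    # UNIQUE on the Ory identity ID makes a retried webhook a no-op.
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY,"
               " ory_identity_id TEXT NOT NULL UNIQUE, email TEXT)")
    return db

def find_user(db, identity_id):
    row = db.execute("SELECT id FROM users WHERE ory_identity_id = ?",
                     (identity_id,)).fetchone()
    return row[0] if row else None

def handle_identity_webhook(db, secret_header, payload):
    """Create the internal user for a new identity; returns the internal user ID."""
    if not hmac.compare_digest(secret_header.encode(), WEBHOOK_SECRET.encode()):
        raise PermissionError("webhook not authenticated")
    # uuid.UUID rejects malformed IDs and normalizes case before storage.
    identity_id = str(uuid.UUID(payload["identity_id"]))
    db.execute("INSERT OR IGNORE INTO users (id, ory_identity_id, email) VALUES (?, ?, ?)",
               (str(uuid.uuid4()), identity_id, payload.get("email")))
    db.commit()
    # The returned value is what would be written to identity.metadata_public.id.
    return find_user(db, identity_id)

def user_for_session(db, session):
    """Map a session already verified via whoami to the internal user, or None."""
    if not session.get("active"):
        return None
    return find_user(db, str(uuid.UUID(session["identity"]["id"])))

if __name__ == "__main__":
    db = open_db()
    print(handle_identity_webhook(db, WEBHOOK_SECRET, SAMPLE_PAYLOAD))
    print(user_for_session(db, SAMPLE_SESSION))
```

The lookup key is always the identity ID taken from the verified session, never a user ID supplied in the request body.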